MDR and SIEM

MDR and SIEM are different, and they both have value. There’s a large trend in the space now where people are devaluing a managed SIEM practice and focusing instead on the MDR practice.

We love MDR. It’s hyper important for the questions we have, questions around the host and what actually took place on the host. You can absolutely answer those questions with an MDR service.

Now, that does not devalue a managed SIEM service. There’s still value in aggregating our logs in one place, value in behavioral-based logic that spans multiple log sources, and value in empowering threat intel with a SIEM. There’s value in leveraging a SIEM in an incident or malware investigation, but MDR also has a lot of value in that case, and that can’t be overstated.

They really both have their place and can exist simultaneously. It’s like asking, ‘Should I have firewall logs or should I have security logs from my domain controller?’ You shouldn’t have one or the other. They’re both helpful.

Using The Tools

If you’re going to do them in-house and you have a team to manage your EDR and your SIEM independently, do that. If you need a provider because you don’t have the team depth, or because you need 24/7 coverage that you can’t support internally, then do that instead.

But when it comes to MDR, you are empowered to see what’s happening on the host and potentially do some light-level remediation. That’s something you can’t do with a SIEM. What you can’t do with MDR is step back and compare your firewall logs against your DNS logs. It isn’t a bird’s-eye view of your network; you’re homed in on that host-level view.

Now, many EDR products allow you to do enterprise-wide searching, but usually you have to have a starting point. You have that one infected host, and from it you take your initial piece of information, whether that’s an executable, a service, a DLL, or whatever, and search laterally through your enterprise for that same piece of information. You can even have some heuristic behavioral-based rules in an EDR tool via an MDR service, but you lose that bird’s-eye view of your entire network. You lose the ability to add special custom log sources or custom alarming based on niche applications.
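To make the two views concrete, here is an added example that is not from the original post or any vendor’s product. It sketches both questions in a few dozen lines of Python: the SIEM-style cross-source logic described earlier (a DNS resolution of a threat-intel domain followed by a firewall-allowed connection from the same host to the resolved IP, which neither log source shows on its own), and the EDR-style lateral pivot described above (start from one infected host, take the process hash seen there, and search every other host for it). All hostnames, domains, IPs, hashes and log lines are constructed, and the key=value log format is an assumption for the example.

```python
"""
Added example (not from the original post): a toy correlation engine that
answers a SIEM-style question (cross-source behavioral logic plus threat
intel) and an EDR-style question (lateral pivot from one infected host).
Every hostname, domain, IP, hash and log line below is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed threat-intel feed (placeholder indicators, not real IoCs).
THREAT_INTEL = {
    "domains": {"update-check.example-bad.test"},
    "sha256": {"aa11" * 16},
}

# Constructed log lines from three sources, all in an assumed key=value format.
DNS_LOGS = [
    "2024-05-01T10:00:05 host=ws-017 qname=update-check.example-bad.test rcode=NOERROR answer=203.0.113.9",
    "2024-05-01T10:01:00 host=ws-022 qname=cdn.example.test rcode=NOERROR answer=198.51.100.4",
]
FIREWALL_LOGS = [
    "2024-05-01T10:00:07 host=ws-017 action=allow dst=203.0.113.9 dport=443",
    "2024-05-01T10:02:00 host=ws-022 action=allow dst=198.51.100.4 dport=443",
]
EDR_LOGS = [
    "2024-05-01T09:59:58 host=ws-017 event=process_start image=svchost-update.exe sha256=" + "aa11" * 16,
    "2024-05-01T10:05:30 host=ws-041 event=process_start image=svchost-update.exe sha256=" + "aa11" * 16,
    "2024-05-01T10:06:00 host=ws-022 event=process_start image=chrome.exe sha256=" + "bb22" * 16,
]


def parse(line):
    """Turn one 'timestamp key=value ...' line into a dict with a datetime 'ts'."""
    ts, *kvs = line.split()
    rec = dict(kv.split("=", 1) for kv in kvs)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def correlate_dns_firewall(dns_lines, fw_lines, intel, window=timedelta(minutes=5)):
    """SIEM-style logic across two log sources plus threat intel:
    a host resolves a known-bad domain, then within `window` the firewall
    allows a connection from that same host to the resolved IP."""
    alerts = []
    fw = [parse(line) for line in fw_lines]
    for d in (parse(line) for line in dns_lines):
        if d["qname"] not in intel["domains"]:
            continue
        for f in fw:
            same_host = f["host"] == d["host"]
            same_dst = f["dst"] == d["answer"]
            in_window = timedelta(0) <= f["ts"] - d["ts"] <= window
            if same_host and same_dst and f["action"] == "allow" and in_window:
                alerts.append({"host": d["host"], "domain": d["qname"],
                               "dst": f["dst"], "dport": f["dport"]})
    return alerts


def lateral_pivot(edr_lines, start_host, intel_hashes=None):
    """EDR-style enterprise-wide search: take the process hashes seen on the
    starting host (optionally narrowed to hashes threat intel already flags)
    and return every other host where the same hash was observed."""
    recs = [parse(line) for line in edr_lines]
    seeds = {r["sha256"] for r in recs if r["host"] == start_host}
    if intel_hashes:
        seeds &= intel_hashes
    hits = defaultdict(set)
    for r in recs:
        if r["sha256"] in seeds and r["host"] != start_host:
            hits[r["sha256"]].add(r["host"])
    return {h: sorted(hosts) for h, hosts in hits.items()}


if __name__ == "__main__":
    for alert in correlate_dns_firewall(DNS_LOGS, FIREWALL_LOGS, THREAT_INTEL):
        print("SIEM correlation:", alert)
        # The SIEM hands the EDR/MDR side its starting point: the alerting host.
        print("EDR lateral pivot:", lateral_pivot(EDR_LOGS, alert["host"], THREAT_INTEL["sha256"]))
```

The SIEM correlation fires on ws-017 and hands that host to the EDR-style pivot, which finds ws-041 running the same flagged binary; the pivot from a clean host returns nothing. That hand-off is the complementary relationship the post describes.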

They’re both hyper valuable, and they are not mutually exclusive. They actually complement each other.

Tool Capabilities

In short, MDR…

Host level view

Light-level remediation

View by log type

Enterprise-wide, lateral searching

Heuristic behavioral-based rules

And SIEM…

Bird’s-eye network view

Leveraged in incident and malware investigations

Aggregating logs

Behavioral-based logic

Empowers threat intelligence

Custom log sources

Custom alarming

Not MDR vs SIEM

Choosing only one tool really limits your team’s ability to see incidents from multiple angles. Whether you’re considering MDR or SIEM, one may be better suited to your setup than the other, but that is highly dependent on your team, your current tools, and your business.